CVE-2022-21677 — MEDIUM (4.3)

Q: How severe is CVE-2022-21677?

CVE-2022-21677 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-21677?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.

Vulnerability Description

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Discourse	Discourse	<= 2.7.12

Related Weaknesses (CWE)

CWE-200

References

https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e5038PatchThird Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-768r-ppv4-5r27Third Party Advisory
https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e5038PatchThird Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-768r-ppv4-5r27Third Party Advisory

FAQ

What is CVE-2022-21677?

CVE-2022-21677 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its...

How severe is CVE-2022-21677?

CVE-2022-21677 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-21677?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.